Microsoft has kicked off its Patch Tuesday cycle for 2023 with 98 patches; 11 of these are critical, and Microsoft is aware of an exploit for one.
The exploited zero-day is CVE-2023-21674, a Windows Advanced Local Procedure Call (ALPC) escalation of privilege.
According to The SANS Institute’s analysis, CVE-2023-21674 is a sandbox escape that gives the attacker SYSTEM-level privileges.
CVE-2023-21549 is an escalation of privilege that was previously disclosed.
According to Microsoft, a malicious script that execute an RPC call to an RPC host could give the attacker elevated privileges on the server.
CVE-2023-21561 is also a privilege escalation bug, this time in Microsoft Cryptographic Services.
“A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM,” Microsoft’s advisory stated.
Microsoft has also disclosed five critical vulnerabilities in its Layer 2 Tunneling Protocol (L2TP): CVE-2023-21546, CVE-2023-21543, CVE-2023-21555, CVE-2023-21556, and CVE-2023-21679.
All of these vulnerabilities expose a Windows RAS server to remote code execution by sending the target a crafted packet.